mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
17ba58aa4b
We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made. This worked on single server installs because we don't do a ping so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request, this is what would have pre-initialized NSS. This was tripping up request-cert because it will intialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR. A non-working client was doing this when calling cert-request: - call load_certificate_request() - nss.nss_nodb_init() - load the CSR - create a connection, dbdir=/etc/pki/nssdb - the dbdir matches within the same connection, don't call nss_shutdown() - connect to remote server - fail, untrusted CA because we are still using db from nss_nodb_init. Instead if we set dbdir afterward then this will properly be shutdown and NSS re-initialized with correct dbdir. https://fedorahosted.org/freeipa/ticket/2498
IPA Server
What is it?
-----------
For efficiency, compliance and risk mitigation, organizations need to
centrally manage and correlate vital security information including:
* Identity (machine, user, virtual machines, groups, authentication
credentials)
* Policy (configuration settings, access control information)
* Audit (events, logs, analysis thereof)
Since these are not new problems. there exist many approaches and
products focused on addressing them. However, these tend to have the
following weaknesses:
* Focus on solving identity management across the enterprise has meant
less focus on policy and audit.
* Vendor focus on Web identity management problems has meant less well
developed solutions for central management of the Linux and Unix
world's vital security info. Organizations are forced to maintain
a hodgepodge of internal and proprietary solutions at high TCO.
* Proprietary security products don't easily provide access to the
vital security information they collect or manage. This makes it
difficult to synchronize and analyze effectively.
The Latest Version
------------------
Details of the latest version can be found on the IPA server project
page under <http://www.freeipa.org/>.
Documentation
-------------
The most up-to-date documentation can be found at
<http://freeipa.org/page/Documentation/>.
Quick Start
-----------
To get started quickly, start here:
<https://fedorahosted.org/freeipa/wiki/QuickStartGuide>
Licensing
---------
Please see the file called COPYING.
Contacts
--------
* If you want to be informed about new code releases, bug fixes,
security fixes, general news and information about the IPA server
subscribe to the freeipa-announce mailing list at
<https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
* If you have a bug report please submit it at:
<https://bugzilla.redhat.com>
* If you want to participate in actively developing IPA please
subscribe to the freeipa-devel mailing list at
<https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
us in IRC at irc://irc.freenode.net/freeipa